
Remedy Docker Scout false positive reports of golang based vulnerabilities using govulncheck

Open grooverdan opened this issue 1 year ago • 0 comments

Tell us about your request

Because golang has so many vulnerabilities, any golang application superficially gets tagged with every vulnerability of golang.

Usually all are false positives.

Which service(s) is this request for?

Docker Scout

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

I, as a package maintainer of the MariaDB Docker Official Images, get panicking users complaining about the security of the image because of a simple golang executable, gosu.

Example: https://github.com/MariaDB/mariadb-docker/issues/546

Compounding this are the Docker Scout results on Docker Hub.

For example, using previous link:

  • stdlib - the golang bit - 3 Critical, 35 High, 16 Medium, .. and ALL ARE FALSE POSITIVES.

ref: https://github.com/docker-library/official-images/issues/14889

Are you currently working around the issue?

Writing docs https://github.com/MariaDB/mariadb-docker/blob/master/SECURITY.md (that aren't read as I'd like).

Answering issues frequently. Hating Docker Scout more each time it happens (not sure that's a work around).

Additional context

There's a program to check these https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck, so you don't need to report them.

grooverdan, Nov 28 '24 21:11
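As an added illustration (not part of the issue or of govulncheck itself) of the distinction the request relies on: govulncheck's `-json` output reports each finding at module, package or symbol level, and only symbol-level findings mean the vulnerable code is actually present in the binary. The sample output below is constructed, with placeholder OSV ids; the field names follow the `Finding`/`Frame` types documented for golang.org/x/vuln.

```python
import json
from collections import defaultdict

# Constructed stand-in for `govulncheck -mode=binary -json ./gosu` output.
# One JSON object per line; a "finding" carries a trace whose last frame is
# the vulnerable symbol. A frame with no "package" is a module-level match,
# one with a "package" but no "function" is package-level, and one with a
# "function" means the vulnerable symbol is linked into the binary.
SAMPLE = """\
{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck","scan_mode":"binary"}}
{"osv":{"id":"GO-0000-0001","summary":"constructed: issue in net/http"}}
{"osv":{"id":"GO-0000-0002","summary":"constructed: issue in crypto/tls"}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.22.4","trace":[{"module":"stdlib","version":"v1.22.0"}]}}
{"finding":{"osv":"GO-0000-0001","fixed_version":"v1.22.4","trace":[{"module":"stdlib","version":"v1.22.0","package":"net/http"}]}}
{"finding":{"osv":"GO-0000-0002","fixed_version":"v1.22.4","trace":[{"module":"stdlib","version":"v1.22.0","package":"crypto/tls","function":"(*Conn).Handshake"}]}}
"""

RANK = {"none": 0, "module": 1, "package": 2, "symbol": 3}


def frame_level(frame: dict) -> str:
    """Most specific level a single trace frame identifies."""
    if "function" in frame:
        return "symbol"
    if "package" in frame:
        return "package"
    return "module"


def triage(jsonl: str) -> dict:
    """Map each OSV id to the deepest level govulncheck matched it at.

    Only "symbol" means the binary contains the vulnerable code; module- and
    package-level matches are the ones a version-only scanner flags anyway.
    """
    summaries = {}
    level = defaultdict(lambda: "none")
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        if "osv" in msg:  # OSV entry for a vulnerability seen in the scan
            summaries[msg["osv"]["id"]] = msg["osv"].get("summary", "")
        elif "finding" in msg:
            f = msg["finding"]
            lvl = frame_level(f["trace"][-1])
            if RANK[lvl] > RANK[level[f["osv"]]]:
                level[f["osv"]] = lvl
    return {oid: {"level": level[oid], "affected": level[oid] == "symbol",
                  "summary": summaries[oid]} for oid in summaries}
```

On the constructed input, `GO-0000-0001` is only matched at package level (present in the stdlib version, but the affected symbol is not in the binary), while `GO-0000-0002` is a symbol-level hit that warrants action.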